Post on 16-May-2015

Securing Data in MongoDB with Gazzang and Chef
Robert Linden, Sr. Solutions Architect at Gazzang
April 12, 2023
What’s in your Cloud?
Gazzang - All rights reserved 2012  04/12/2023
What data are you storing?
How are you protecting that data?
How are you managing the keys?
Student Record Breaches
• Since 2010, more than three million student records have been compromised due to hack attacks or lost, stolen or missing files.
• This year alone…
  • 23,000 SSNs breached at the University of North Florida
  • 16,000 SSNs, birth dates and student IDs breached from the Eugene, Oregon school district
  • 650,000 records breached from the University of Nebraska
  • 350,000 records from UNC Charlotte
  • and more….
Breaches Hit Every Industry
Data Security For MongoDB
Gazzang, 10gen and Opscode Partner to Deliver Automated Enterprise-Class Data Security for MongoDB
• Pre-built integration requires no changes to your application or database
• Leverages automation tools for distributed deployment
• World-class support available through Gazzang, 10gen and Opscode
MongoDB Native Security
(Diagram) A Client connects to a replica set of a Primary and a Secondary, each with its own Data Files. The native controls shown are: SSL encryption for the client connection, SSL encryption for inter-server traffic, and user authentication with Admin Users and Regular Users (user1, user2, user3).
Education Use Case on MongoDB
(Diagram) Two nodes (Node 1, Node 2), each holding Data Files with records such as:

Teacher
  First Name: Bob
  Last Name:  Jones
  Email:      bob@xx.edu
  Phone:      555-5555
  SSN:        XXX-XX-XXXX

Student
  First Name: Alice
  Last Name:  Smith
  Email:      alice@yy.edu
  Grade:      5th
  Address:    804 Congress
  City:       Austin
  State:      TX
Cloud Security Challenges
• Protect Sensitive Data in the Cloud
  – Ensure sensitive data and encryption keys are never stored in plain text nor exposed publicly
  – Maintain control of your encryption keys and your proprietary data
• Ensure Big Data Security
  – Harden Big Data infrastructures that have relatively weak security and no encryption protection
  – Maintain Big Data performance and availability
• Enable Compliance
  – Encrypt data at rest and enforce tight access control policies
  – Protect your regulated data in the event of a breach
Gazzang zNcrypt™
zNcrypt sits between the file system and ANY database, application or service running on Linux to encrypt data before it writes to the disk.
• AES 256 encryption
• Process-based ACLs
• Maximum performance
• Transparent data encryption
• Enterprise scalability
• Packaged support for MongoDB
zNcrypt Architecture
• Encryption
  – Data at rest / AES-256
  – File level encryption
  – Excellent performance
• Access Control
  – Process-based ACL rules
  – Transparent data encryption
  – Separate from users & groups
• Key Management
  – Off-site key storage
  – In the cloud / on premises
  – Hardened & highly available

ACL Rules and Encryption
• MongoDB ACL Rule

    ALLOW @mongodata * /home/mymongo/mongodb-linux/bin/mongod

  This says that mongod is a trusted application, using the category @mongodata, and has access to the KSS where the Master Encryption Key is stored.

• MongoDB data node directory encryption

    ezncrypt --encrypt @mongodata /var/lib/mongodb/data/db/

  This says that the /data/db directory is encrypted, along with any new file or data saved to it. Only the MongoDB process will be able to “see” the data, because the encryption is linked to the ACL through the @mongodata category.
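The following is an added illustration, not Gazzang code, of how a process-based ACL differs from user/group permissions: a small evaluator that models the deck's ALLOW rule and @mongodata encrypted directory, plus two hypothetical rules for a backup agent. It assumes the rule fields are ACTION, @category, file pattern (the `*` in the deck's rule) and process path, that rules default to deny, and that DENY overrides ALLOW; none of that is taken from zNcrypt documentation.

```python
import fnmatch
import os
from typing import Optional, Tuple

# Constructed sample policy. The first rule and the directory come from the deck;
# the backup-agent rules are hypothetical and exist only to show DENY behaviour.
ACL_RULES = [
    "ALLOW @mongodata * /home/mymongo/mongodb-linux/bin/mongod",
    "ALLOW @mongodata * /usr/local/bin/backup-agent",
    "DENY  @mongodata journal/* /usr/local/bin/backup-agent",
]
# Category -> directory that "ezncrypt --encrypt @mongodata <dir>" protects.
ENCRYPTED_DIRS = {"@mongodata": "/var/lib/mongodb/data/db/"}


def parse_rule(rule: str) -> Tuple[str, str, str, str]:
    """Split 'ACTION @category pattern process' and reject malformed rules."""
    fields = rule.split()
    if len(fields) != 4 or fields[0] not in ("ALLOW", "DENY") or not fields[1].startswith("@"):
        raise ValueError(f"malformed ACL rule: {rule!r}")
    return fields[0], fields[1], fields[2], fields[3]


def category_for(path: str) -> Optional[str]:
    """Return the category whose encrypted directory contains path, if any."""
    norm = os.path.normpath(path)
    for cat, directory in ENCRYPTED_DIRS.items():
        if norm.startswith(os.path.normpath(directory) + os.sep):
            return cat
    return None


def can_read_plaintext(process: str, path: str) -> bool:
    """Decide by process binary only; user or group identity plays no role here."""
    cat = category_for(path)
    if cat is None:
        return True  # outside every encrypted directory: nothing to unlock
    rel = os.path.relpath(path, ENCRYPTED_DIRS[cat])
    allowed = False  # default deny: no matching ALLOW means ciphertext only
    for action, rcat, pattern, rproc in map(parse_rule, ACL_RULES):
        if rcat != cat or rproc != process or not fnmatch.fnmatch(rel, pattern):
            continue
        if action == "DENY":
            return False  # an explicit DENY wins over any ALLOW
        allowed = True
    return allowed
```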
Key Management
• zNcrypt KSS (Key Storage System)
  – Hardened SaaS offering (or within enterprise / private cloud)
  – Secure access from zNcrypt client, multiple layers of security
  – SaaS KSS configured with high availability / failover
Ease of Deployment
• Install zNcrypt
  – Package managers (yum, apt-get), Chef, Puppet, JuJu, etc.
• Create master encryption key
  – Passphrase method (optional “split security”)
  – RSA Key file method
• Create ACLs
  – Simple command-lines (ALLOW/DENY style)
  – Almost any process or script allowed: virtually any application, process or script such as MongoDB, MySQL, Apache, Tomcat, backup software, document management, etc.
• Encrypt data
  – Simple command line calls, down to the file level
Chef – Opscode Community
Chef - GitHub
Live Demonstration: Chef Using zNcrypt Cookbook
Install MongoDB and zNcrypt with #chef-client
Gazzang Overview
Gazzang provides big data security and diagnostics solutions that help enterprises protect sensitive information and maintain performance in cloud environments.
  – Based in Austin, Texas
  – Funded by Austin Ventures and Silver Creek Ventures
  – 225+ customers
  – SaaS, Healthcare, Financial Services, Government, Technology
Thank You
Q&A

Protect Your MongoDB Data
For more information contact us: info@gazzang.com
Robert Linden
robert.linden@gazzang.com